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DETAILED ACTION 

1 . This Office Action is responsive to communications filed on February 28, 2008. 
Claims 1, 3-4, and 6-45 are pending in the case. 

Response to Arguments 

2. Applicant's arguments, see page 14, with respect to the rejection of claims 42-44 
under 35 U.S.C. 103(a) have been fully considered and are persuasive. The rejection of claims 
42-44 has been withdrawn. 

3. Applicant's arguments filed February 28, 2008 regarding the rejection of claims 1, 3, 
4 and 6-37 under 35 U.S.C. 103(a) have been fully considered but they are not persuasiveA 

Applicant's substantially argued: (A) It is improper to combine elements 22 and 1 1 to 
show "a switching element", and (B) Short fails to remedy the deficiency of Eichstaedt. 

(A) Elements 22 and 1 1 were combined to show the monitoring for connection 
transactions between multiple access requestors and access provider using a switching 
component connected to the access provider : 

Applicant's argued that "gateway 22 cannot by itself be the switching component of 
claim 1", see page 15, \2, without elaborating the reasons. As clearly shown in Figure 1, 
gateway 22 (i.e., the switching component) allows connection transactions between multiple 
corporate clients 14 (i.e., multiple access requestors) and system 21 (i.e., access provider) 
wherein the switching component connected to the access providers. 

Applicant's also argued that there is no suggestion to combine the data protection system 
1 1 and gateway 22 in a single component. "Section 103 forbids issuance of a patent when "the 
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difference between the subject matter sought to be patented and the prior art are such that the 
subject matter as a whole would have been obvious at the time the invention was made to a 
person having ordinary skill in the art to which said subject matter pertains."" KSR Int'l Co. v. 
Teleflex Inc., 127 S.Ct. 1727, 82 USPQ2d 1385, 1391 (2007). 

In KSR, The Supreme Court emphasized "the need for caution in granting a patent based 
on the combination of element found in the prior art, "id. at 1739, 82 USPQ2d at 1395, and 
discussed circumstances in which a patent might be determined to be obvious without an explicit 
application of the teaching, suggestion, motivation test. In particular, the Supreme Court 
emphasized that "the principles laid down in Graham reaffirmed the "functional approach" of 
Hotchkiss, 11 How. 248." KSR, 127 S.Ct. at 1739, 82 USPQ2d at 1395 (citing Graham v. John 
Deere Co., 383 U.S. 1, 12 (1966) (emphasis added)), and reaffirmed principles based on its 
precedent that "[t]he combination of familiar element according to known methods is likely to be 
obvious when it does not more than yield predictable results." Id. The Court explained: 

When a work is available in one field of endeavor, design incentives and other market 
forces can prompt variation of it, either in the same field or a different one. If a person of 
ordinary skill can implement a predictable variation, 103 likely bars its patentability. For the 
same reason, if a technique has been used to improve one device, and a person of ordinary skill 
in the art would recognize that it would improve similar devices in the same way, using the 
technique is obvious unless its actual application is beyond his or her skill. Id. at 1740, 82 
USPQ2d at 1396. The operative question in this "functional approach" is thus "whether the 
improvement is more than the predictable use of prior art elements according to their established 
functions." Id. In this case, the combination of the data protection system 1 1 and gateway 22 
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provides a predictable result, i.e., monitoring the connection transaction between access 
requestors and access provider, thus it meets the claim. 

Applicant's also argued that since data protection system 1 1 is part of the access provider 
(i.e., system 21), hence it cannot be "connected to access providers". However, as it is well 
known in the art, in order for a component to be a part of the system, the component has be 
connected to the system, either physically or logically, thus it is not clear what applicant is trying 
to imply. 

(B) Short remedies the deficiency of Eichstaedt: 

In response to applicant's arguments against the references individually, one cannot show 
nonobviousness by attacking references individually where the rejections are based on 
combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re 
Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). In this case, Eichstaedt teaches 
substantially all the claimed limitations, i.e., monitoring a computer for connection transactions 
between multiple requestors and access provider using a switching component connected to the 
access provider and denying access by attacking requestor to the access providers when a 
number of connection transaction initiated by the attacking access requestor through the 
switching component exceeds a configurable threshold. However, Eichstaedt does not explicitly 
call for multiple access providers. Since Short teaches connections between multiple access 
requestors and multiple access providers, Short remedies the deficiency of Eichstaedt. It also is 
noted that Short is not relied upon to show "monitoring for connection transactions between the 
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multiple user computes and the plurality of networks" thus the argument that 'Short fails to 
describe or suggest monitoring for connection transactions ..." is not valid. 

Applicant's also argued erroneously that "the web server 18 of Eichstaedt monitors for 
connection transactions between multiple client computers 12 and 14 and the single web server 
18" and thus, "each specific web server included in the proposed combination would deny access 
to a requestor only when the specific web server has detected a number of connection 
transactions to the specific web server that exceeds a threshold", see page 18, Tfl. It is noted that 
since Eichstaedt discloses monitoring connection transactions between multiple access 
requestors (12, 14, 16) and an access provider (21) via a switching element (22, 11), and Short 
teaches switching component (10) connected to multiple access providers (20, 22), it is obvious 
and predictable that the monitoring can be provided for connection transaction via a switching 
component between (a) one access requestor and one access provider; (b) multiple access 
requestors and one access providers; or (c) multiple access requestors and multiple access 
providers. Therefore, the combination of Eichstaedt and Short meets the claimed "monitoring 
for connection transactions between multiple access requestors and access provides using a 
switching component connected to the access providers." 

Claim Rejections - 35 USC § 101 
4. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

Claims 15-37 are rejected under 35 U.S.C. 101 because the claimed invention is directed 
to non- statutory subject matter. 
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As presented in the specification, page 5: lines 4-5 and page 6: lines 24-25, it would 
suggest to one of ordinary skill that all may be reasonably implemented as software routines, 
therefore, claims 15-37 are rejected as a system of software per se, failing to fall within a 
statutory category of invention. 



Claim Rejections - 35 USC § 103 

5. The text of those sections of Title 35, U.S. Code not included in this action can be 
found in a prior Office action. 

6. Claims 1-39 and 42-45 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Eichstaedt et al. (U.S. Patent No. 6,662,230), hereinafter Eichstaedt, in view of Short et 
al.(US 6,636,894), hereinafter Short. 

Regarding claims 1, 8-9, 13, 15, 23, 25, 34, 38-39 and 45, as shown in Figures 1-6, 
Eichstaedt discloses: 

monitoring a computer system for connection transactions between multiple requestors 
(12, 14, 16) and an access provider (21) using a switching component (22, 11) connected to the 
access provider (col. 5: lines 32-39; and col. 10: lines 34-43); 

denying access by an attacking access requestor (16) to the access provider (21) when a 
number of connection transactions initiated by the attacking access requestor (e.g., request 
values) through the switching component (1 1) exceeds a configurable threshold number (e.g., 
maximum request values) during a first configurable period of time (col. 6: lines 43-61; and col. 
12: lines 3-20). 
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Eichstaedt also discloses the monitoring includes detecting connection transactions 
between multiple Internet protocol addresses and the access provider with the switching 
components (Eichstaedt; col. 5: lines 32-39; and col. 7: lines 23-49). 

Eichstaedt does not explicitly call for a plurality of access providers. 

As shown in Figure 1 , Short teaches a system and method for providing multiple users 
(14) access to a plurality of networks (22 and 20; col. 6: line 9 - col. 7: line 24). 

It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to apply Short's method of providing multiple users access to a plurality of network 
providers in Eichstaedt' s system, motivated by the need of providing users access to the Internet, 
i.e., a worldwide, publicly accessible network of interconnected computer networks that transmit 
data, consisting of millions of smaller domestic, academic, business, and government networks. 

Regarding claim 3, Eichstaedt-Short also discloses the monitoring further includes 
counting, using the switching component, and comparing the number of connection transactions 
initiated by the access requestors to any of the access providers (e.g., request values) through the 
switching component (e.g., 22, 1 1) during the first configurable period of time (ti) to the 
configurable threshold (e.g., a comparison between the calculated request values and a 
predefined maximum value is made; Eichstaedt; col. 7: lines 5-49). 

Regarding claims 4, 16 and 26, Eichstaedt-Short also discloses: 

the monitoring further includes comparing, using the switching component, the number 
of connection transactions initiated by the access requestors through the switching component 
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during the first configurable period of time to the configurable threshold number (e.g., a 
comparison between the calculated request values and a predefined maximum value is made 
during ti; Eichstaedt; col. 7: lines 5-49); and 

denying access by the attacking access requestor to the access providers includes 
denying, using the switching component, access by the attacking access requestor to all of the 
access providers connected to the switching component when the comparison results indicate 
that the number of connection transactions initiated by the attacking access requestor during the 
first configurable period of time exceeds the configurable threshold number (e.g., denying access 
after failing cumulative data check; Eichstaedt, col. 3: lines 3-38 and col. 9: line 2-53). 

Regarding claim 6, Eichstaedt-Short also discloses the monitoring further includes 
counting, using the switching component, the number of connection transactions initiated to any 
of the access providers by the Internet protocol addresses during the first configurable period of 
time such that the number of connection transactions reflects a cumulative number of connection 
transactions initiated to any of the access providers by the Internet protocol addresses (step 86, 
Figure 4; Eichstaedt, col. 8: line 56 - col. 9: line 15). 

Regarding claims 7, 17 and 27, Eichstaedt-Short also discloses the monitoring further 
includes 

comparing, using the switching component, the number of connection transactions 
initiated by the internet protocol addresses during the first configurable period of time to the 
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configurable threshold number (e.g., a comparison between the calculated request values and a 
predefined maximum value is made during first frequency ti; Eichstaedt; col. 7: lines 5-49); and 

denying access by the attacking access requester to the access providers includes 
denying, using the switching component, access by the attacking access requestor to all of the 
access providers connected to the switching component when the comparison results indicate 
that the number of connection transactions initiated by the Internet protocol address associated 
with the attacking access requestor during the first configurable period of time exceeds the 
configurable threshold number (step 86, Eichstaedt; Figure 4, col. 8: line 56 - col. 9: line 15). 

Regarding claims 10-12, 20-22, and 30-33, Eichstaedt-Short discloses that the denying of 
access includes denying access to the access providers through the switching component (e.g., 
22, 1 1) by the attacking access requestor (e.g., 16) for a second configurable period of time (t ; ) 
after detecting a most recent connection transaction initiated by the attacking requestor through 
the switching component (Eichstaedt; col. 4: lines 12-17, and col. 7: lines 31-49). 

Regarding claims 36, Eichstaedt-Short also discloses a host computer system (e.g., 21) 
receives communication from the switching component (e.g., 22, 11; Eichstaedt, Figure 1). 

Regarding claims 37, Eichstaedt-Short also discloses the switching system (e.g., 22, 1 1) 
is included in a host system (e.g., 21; Eichstaedt, Figure 1). 



Regarding claim 42, Eichstaedt-Short also discloses: 
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the access provides include a first access provider and a second access provide that 
different from the first access provider (20, 22; Short, Figure 1); 

monitoring for connection transactions between multiple access requestors and access 
providers using the switching component connected to the access providers includes: 
detecting, using the switching component, a first number of connection 
transaction initiated by the attacking access requestor to the first access provider during 
the first configurable period of time (e.g., monitoring request frequency to a server for a 
specific client identifier during ti; Eichstaedt; col. 7: lines 5-49), and 

detecting, using the switching component, a second number of connection 
transactions initiated by the attacking access requestor to the second access provider 
during the first configurable period of time (e.g., monitoring request frequency to a server 
for a specific client identifier during ti; Eichstaedt; col. 7: lines 5-49), and 
denying access by the attacking access requestor to the access providers when the number 
of connection transactions initiated by the attacking access requestors through the switching 
component exceeds the configurable threshold number during the first configurable period of 
time includes denying access by the attacking access requestor to both the first access provider 
and the second access provider when a sum of the first number of connection transactions and 
the second number of connection transactions exceeds the configurable threshold number 
(perform frequency check and cumulative data check, the client identifier fails and is rejected if 
the request value exceeds the predefined maxima; Eichstaedt; Figure 4, col. 8: line 56 - col. 9: 
line 53). 



Application/Control Number: 09/666, 1 40 Page 1 1 

Art Unit: 2152 

Regarding claim 43, Eichstaedt-Short also discloses: 

detecting, using the switching component, the first number of connection transactions 
initiated by the attacking access requestor to the first access provider during the first configurable 
period of time includes detecting a first number of connection transactions that exceeds the 
configurable threshold number during the first configurable period of time (e.g., comparing the 
calculated request values and a predefined maximum value is made during ti, obviously the 
calculated request value could be any number, i.e., less than, equal or exceed the predefined 
maxima; Eichstaedt; col. 7: lines 5-49); 

detecting, using the switching component, the second number of connection transactions 
initiated by the attacking access requestor to the second access provider during the first 
configurable period of time includes detecting zero connection transactions initiated by the 
attacking access requestor to the second access provider during the first configurable period of 
time (e.g., comparing the calculated request values and a predefined maximum value is made 
during ti, obviously the calculated request value could be any number, i.e., less than, equal or 
exceed the predefined maxima; Eichstaedt; col. 7: lines 5-49), and 

denying access by the attacking access requestor to both the first access provider and the 
second access provider when a sum of the first number of connection transactions and the second 
number of connection transactions exceeds the configurable threshold number includes denying 
access by the attacking access requestor to both the first access provider and the second access 
provider when the first number of connection transaction exceeds the configurable threshold 
number and the second number of connection transaction is zero (perform frequency check and 



Application/Control Number: 09/666, 1 40 Page 1 2 

Art Unit: 2152 

cumulative data check, the client identifier fails and is rejected if the request value exceeds the 
predefined maxima; Eichstaedt; Figure 4, col. 8: line 56 - col. 9: line 53). 

Regarding claim 44, Eichstaedt-Short also discloses: 

detecting, using the switching component, the first number of connection transactions 
initiated by the attacking access request or to the first access provider during the first 
configurable period of time includes detecting a first number of connection transactions that is 
less than the configurable threshold during the first configurable period of time (e.g., comparing 
the calculated request values and a predefined maximum value is made during ti, obviously the 
calculated request value could be any number, i.e., less than, equal or exceed the predefined 
maxima; Eichstaedt; col. 7: lines 5-49); 

detecting, using the switching component, a second number of connection transactions 
initiated by the attacking access requestor to the second access provider during the first 
configurable period of time includes detecting a second number of connection transactions that is 
less than the configurable threshold number during the first configurable period of time (e.g., 
comparing the calculated request values and a predefined maximum value is made during ti, 
obviously the calculated request value could be any number, i.e., less than, equal or exceed the 
predefined maxima; Eichstaedt; col. 7: lines 5-49), the sum of the first number of connection 
transactions and the second number of connection transactions exceeding the configurable 
threshold number (since log entries is based on client identifiers, it is obvious a cumulative 
request value from a client including connection transactions to all access providers; col. 6: lines 
39-61); and 
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denying access by the attacking access requestor to both the first access provider and the 
second access provider when a sum of the first number of connection transactions and the second 
number of connection transactions exceed the configurable threshold number includes denying 
access by the attacking access requestor to both the first access provider and the second access 
provider when the sum of the first number of connection transactions and the second number of 
connection transactions exceeds the threshold number, even though neither the first number of 
connection transactions nor the second number of connection transactions exceeds the 
configurable threshold number (perform frequency check and cumulative data check, the client 
identifier fails and is rejected if the request value exceeds the predefined maxima; Eichstaedt; 
Figure 4, col. 8: line 56 - col. 9: line 53). 

7. Claims 40-41 are rejected under 35 U.S. C. 103(a) as being unpatentable over 
Eichstaedt, in view of Short, as applied to claim 39 above, and further in view of Lin et al (US 
6,751,668). 

Regarding claim 40, Eichstaedt-Short discloses substantially all the claimed limitations, 
except the establishment of a communication link between the attacking access requestor and 
one of the access providers involving exchange of more than two electronic messages. 

Lin discloses establishment of a communication link between the attacking access 
requestor and one of the access providers involving exchange of more than two electronic 
messages (e.g., SYN and SYN/ACK; Figure 1, col. 2: lines 2-9). 
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It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to utilize Lin's method of responding to service attacks in Eichstaedt- Short's system in 
order to limiting unwanted access to server data. 

Regarding claim 41, Eichstaedt-Short-Lin also discloses: 

determining, using the switching component, that the second configurable time period, 
has passed without detecting a new connection transaction initiated by the attacking access 
requestor to any of the access providers through the switching component (e.g., monitoring the 
rate of receipt of session establishment; Lin, Figure 2: lines 30-43); and 

in response to determining at the second configurable time period has passed without 
detecting a new connection transaction initiated by the attacking access requestor to any of the 
access providers through the switching component, allowing access by an attacking access 
requestor to the access providers (e.g., monitoring the rate of receipt of session establishment is 
less that the MAX SESS RATE, the state machine moves back to the normal state 202; Lin, 
Figure 2: lines 30-43). 

Conclusion 

8. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to VAN KIM T. NGUYEN whose telephone number is (571)272- 
3073. The examiner can normally be reached on 8:00 AM - 4:30 PM. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Bunjob Jaroenchonwanit can be reached on 571-272-3913. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Van Kim T. Nguyen 

Examiner 

Art Unit 2152 

vkn 

/Bunjob Jaroenchonwanit/ 

Supervisory Patent Examiner, Art Unit 2152 
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